Knox Framework
Last updated March 7th, 2025
The Knox Framework contains numerous changes Samsung has made in the operating system and is the central location and interface point for device management, Knox services, and Knox unique APIs.
Device management
Since its inception, Samsung Knox has been at the forefront of developing Android mobile devices for enterprise use. Over time, we’ve refined our policies and features to enhance the management and capabilities of our devices through the collaboration of three major frameworks:
- Android Management API (AMAPI): The default management framework supported on all Android Enterprise enrolled devices. This includes many device policies as well as numerous device level APIs. For more information on Android Enterprise, please refer to their documentation.
- Knox Platform for Enterprise (KPE): A set of system services which allow for numerous APIs, device policies and controls to be set for devices under management. KPE is supported in all device deployment modes beyond just Android Enterprise. For more information see the Knox Platform for Enterprise documentation.
- Knox Service Plugin (KSP): A framework that works directly with MDM, EMM, and UEMs to provide day zero support of new Knox device policies and controls for interfacing with KPE. For more information see the following documentation.
Knox Mobile Enrollment
This feature is only available on managed devices, and requires the use of an EMM or UEM.
Given the scale of mobile deployments within enterprises, a seamless device enrollment experience is crucial. Today, admins can use Android Zero Touch on Samsung devices for a standard enrollment experience. However, to streamline the enrollment process and meet numerous security requirements, we recommend using Knox Mobile Enrollment (KME).
Knox Mobile Enrollment provides an out-of-box solution for IT admins to enroll devices in their EMM or UEM tool. With numerous controls, admins can ensure that devices are properly set up in diverse IT ecosystems such as on-premises or low-connectivity environments. Additionally, Knox Mobile Enrollment is the only method that allows you to onboard devices to the Knox Cloud Services, included in the Samsung Knox Suite.
For more information on how to set up and deploy Knox Mobile Enrollment, see the Knox Mobile Enrollment admin guide. Additionally, you can view a list of all Knox features on Android on the Samsung Knox official site.
Key security features
Knox Mobile Enrollment is the only enrollment method that allows for some of Knox’s key security features to be enabled. Some unique security advantages of Knox Mobile Enrollment include:
- Knox Device Health Attestation: During device enrollment, Knox Device Health Attestation is used to verify that the device being enrolled into the EMM or Mobile Device Management (MDM) is in an approved state.
- Knox DualDAR: Knox DualDAR adds two separate layers of data encryption to devices. To enable Knox DualDAR, devices must have the proper device policy set during enrollment, which can only be enabled using Knox Mobile Enrollment.
- Setting root or intermediate certificate: During device enrollment, Knox Mobile Enrollment allows IT admins to set up a custom certificate with the root certificate storage, which can be a key requirement for high-security networks requiring specific certificates to connect.
- Automatic credentials: IT admins can set prepopulated credentials for a user when they first sign in to their device.
- Advanced device lock: Admins can leverage device locking features, such as timeout periods for enrollment timeframes, in the event the device is offline. In addition, admins can lock the device if it is stolen.